RADIUS TLS Hardening

System Overview

    • Operating System: Windows Server 2019 with RADIUS role
    • Hardening Configuration: TLS protocols and cipher suites according to Mozilla Intermediate


After applying the hardening configuration, WLAN clients could not authenticate to RADIUS and therefore could not connect to the wireless LAN.


In our case, RADIUS uses EAP-TLS as the authentication protocol. As defined in RFC 5216, Section 2.4, EAP-TLS requires the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

It further recommends supporting TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268].


Add the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA to the end of the cipher suites list.
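
One way to apply this step on the Windows Server 2019 host, as an added example that is not part of the original post. It assumes the cipher suite order is managed either with the built-in TLS cmdlets or through the "SSL Cipher Suite Order" policy registry value; if your hardening was applied by another tool, adjust its list instead.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: the cipher suite list is managed either locally
# (TLS cmdlets) or through the "SSL Cipher Suite Order" policy value below.
$suite     = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# A policy-defined order overrides the local list, so look there first.
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue

if ($policy -and $policy.Functions) {
    # The value is either one comma-separated string or a multi-string.
    $list = @((@($policy.Functions) -join ',') -split ',' |
              ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($list -contains $suite) {
        $isLast = $list[-1] -eq $suite
        Write-Output "Policy list already contains $suite (last entry: $isLast)."
    } else {
        # Do not edit the policy key here: the next policy refresh would undo it.
        Write-Warning "Cipher suite order is set by policy. Append $suite as the last entry of that policy."
    }
} else {
    # Local list, in priority order.
    $names = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    if ($names.Count -eq 0 -or $names[-1] -ne $suite) {
        if ($names -contains $suite) {
            # Present but not last: remove it so it can be re-added at the end.
            Disable-TlsCipherSuite -Name $suite
        }
        # Without -Position the suite is appended, so the hardened suites keep priority.
        Enable-TlsCipherSuite -Name $suite
    }
    # Print the resulting order for review.
    $i = 0
    Get-TlsCipherSuite | ForEach-Object { '{0,2}  {1}' -f (++$i), $_.Name }
}
```

Cipher suite order changes take effect after a restart, so reboot the server before testing.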


After applying the updated hardening configuration, try to log in to the WLAN.


